EPA finalizes cyber technical support plan

Recently, the U.S. EPA’s Office of Water finalized a report describing how it plans to provide voluntary cybersecurity technical support to drinking water systems, the second of two cyber-related actions that were mandated by Congress last year as part of the Bipartisan Infrastructure Law.

The infrastructure law first required EPA to develop a “prioritization framework” to identify public water systems that “if degraded or rendered inoperable due to an incident, would lead to significant impacts on the health and safety of the public.” The Association of Metropolitan Water Agencies described that framework, which was released in May and outlined how EPA would prioritize delivering technical cybersecurity aid to water systems during a scenario where the demand for such aid outstripped the agency’s near-term capacity to provide it. The framework explained that EPA would prioritize delivering aid based on factors such as the risk to downstream critical infrastructure and national security assets, the capabilities of water systems to address vulnerabilities without federal support, and the risk reduction benefits that would be achieved as a result of the support.

Second, EPA was directed to develop a Technical Cybersecurity Support Plan for public water systems. The report was to include specific EPA and DHS cybersecurity resources that may be utilized by water systems, timelines for making voluntary technical support available to water systems, and a list describing systems in need of technical support.

In August, EPA released a new support plan that includes four categories of technical cybersecurity support currently available to public water systems, such as the Vulnerability Self-Assessment Tool and the Cybersecurity Incident Action Checklist. It further explained that EPA would make additional resources available beginning in 2023, such as a checklist of cybersecurity best practices for small water systems, and new technical support to help public water systems address vulnerabilities in current cybersecurity practices.

During development of the infrastructure law last year, AMWA expressed concerns to congressional staff about the provision in the bill requiring EPA to “list” water systems in need of additional technical support, warning that it could guide hackers and cyber criminals toward unprepared water systems. Fortunately, AMWA says, EPA’s report did not include an actual named list of water systems. Instead, the agency broadly identified “two situations where [public water systems] may have an elevated need for technical cybersecurity support”: small water systems that were not required to complete a risk and resilience assessment under America’s Water Infrastructure Act of 2018, and where vulnerabilities are identified during a water system’s cybersecurity assessment.

Congress is expected to continue to have an interest in water system cybersecurity, so AMWA will continue to promote legislative and regulatory approaches that boost cyber defenses without imposing new regulatory burdens or inadvertently increasing risk.

Sources: EPA, Association of Metropolitan Water Agencies
